https://community.splunk.com/t5/Splunk-Search/Getting-logs-out-of-txt-files-converted-from-wireshark-captures/m-p/29428#M177939 <P>hi misteryuku</P> <P>this is my final approach to help you with this topic ..... did you read and understand Jerrad's post? </P> <P>He was <STRONG>NOT</STRONG> using <EM>wireshark</EM>, he was using <EM>tshark</EM> with a hell lot of option to get your posted sample log in his output log. this sample log was <STRONG>NOT</STRONG> produced in this form by <STRONG>splunk</STRONG> but by <EM>tshark</EM></P> <P>try to set <EM>tshark</EM> the way Jerrad did:</P> <PRE><CODE>date=`date +"%m-%d-%y_%H-%M"` tshark -i eth3 -l -R "(gtp.message == 0x10) || (gtp.message == 0x11)" -Tfields -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.imsi -e gtp.msisdn -e gtp.apn -e gtp.mcc -e gtp.mnc -e gtp.lac -e gtp.rac -e gtp.user_ipv4 -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst -e gtp.ext_imeisv -e gtp.ext_sac &gt; /tshark/splunk/gtp/tshark_gtp_$date </CODE></PRE> <P>and index that file <CODE>/tshark/splunk/gtp/tshark_gtp_*</CODE> , forget about props.conf and transforms.conf this would lead into another bunch of questions on how to do it.</P> <P>cheers</P> <P><EM>PS: no eth3 is not your network interface and you probably don't have a /tshark/splunk/gtp/ path as well......</EM></P> Wed, 18 Apr 2012 10:40:39 GMT MuS 2012-04-18T10:40:39Z https://community.splunk.com/t5/Splunk-Search/Getting-logs-out-of-txt-files-converted-from-wireshark-captures/m-p/29427#M177938 <P>Based on the question asked on <A href="http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file">http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file</A> <BR /> Jerrad showed a sample log output. So the log output is shown in Splunk search app whenever you search for this sample log data? So how did Jerrad manage to output the sample log :</P> <P>Mar 25, 2011 03:12:25.154535000 0x0c038f47 0x1496242c 11.11.11.11 128 0x584f9ea0 10.10.10.10 00:00:00:00:00:00 00:00:00:00:00:00</P> <P>from the wireshark pcap txt file? as in GETTING LOGS OUT from the wireshark capture file in txt file? Does anyone have any idea?? </P> <P>So just to ask. That means,To get the logs form wireshark pcap txt file, set the capture settings in the first place and what you choose to save,create field extractions in props.conf and transforms.conf ?? is it?? Is that the way do do it? Overall i would like to know the whole process of doing this cos i still don't understand the answers given for the question : <A href="http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file">http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file</A> </P> Wed, 18 Apr 2012 09:19:27 GMT https://community.splunk.com/t5/Splunk-Search/Getting-logs-out-of-txt-files-converted-from-wireshark-captures/m-p/29427#M177938 misteryuku 2012-04-18T09:19:27Z https://community.splunk.com/t5/Splunk-Search/Getting-logs-out-of-txt-files-converted-from-wireshark-captures/m-p/29428#M177939 <P>hi misteryuku</P> <P>this is my final approach to help you with this topic ..... did you read and understand Jerrad's post? </P> <P>He was <STRONG>NOT</STRONG> using <EM>wireshark</EM>, he was using <EM>tshark</EM> with a hell lot of option to get your posted sample log in his output log. this sample log was <STRONG>NOT</STRONG> produced in this form by <STRONG>splunk</STRONG> but by <EM>tshark</EM></P> <P>try to set <EM>tshark</EM> the way Jerrad did:</P> <PRE><CODE>date=`date +"%m-%d-%y_%H-%M"` tshark -i eth3 -l -R "(gtp.message == 0x10) || (gtp.message == 0x11)" -Tfields -e frame.time -e gtp.teid -e gtp.teid_cp -e gtp.imsi -e gtp.msisdn -e gtp.apn -e gtp.mcc -e gtp.mnc -e gtp.lac -e gtp.rac -e gtp.user_ipv4 -e gtp.cause -e gtp.chrg_id -e gtp.gsn_ipv4 -e eth.src -e eth.dst -e gtp.ext_imeisv -e gtp.ext_sac &gt; /tshark/splunk/gtp/tshark_gtp_$date </CODE></PRE> <P>and index that file <CODE>/tshark/splunk/gtp/tshark_gtp_*</CODE> , forget about props.conf and transforms.conf this would lead into another bunch of questions on how to do it.</P> <P>cheers</P> <P><EM>PS: no eth3 is not your network interface and you probably don't have a /tshark/splunk/gtp/ path as well......</EM></P> Wed, 18 Apr 2012 10:40:39 GMT https://community.splunk.com/t5/Splunk-Search/Getting-logs-out-of-txt-files-converted-from-wireshark-captures/m-p/29428#M177939 MuS 2012-04-18T10:40:39Z https://community.splunk.com/t5/Splunk-Search/Getting-logs-out-of-txt-files-converted-from-wireshark-captures/m-p/29429#M177940 <P>Okay. Understood.</P> Wed, 18 Apr 2012 12:15:34 GMT https://community.splunk.com/t5/Splunk-Search/Getting-logs-out-of-txt-files-converted-from-wireshark-captures/m-p/29429#M177940 misteryuku 2012-04-18T12:15:34Z